
TSINGHUA SCIENCE AND TECHNOLOGY
ISSN 1007-0214 0?/?? pp???–???
DOI: 10.26599/TST.2020.901
Volume xx, Number x, xxxxxxx 20xx

Trident: Efficient and Practical Software Network Monitoring

Xiaohe Hu, Yang Xiang, Yifan Li, Buyi Qiu, Kai Wang, Jun Li∗

• Xiaohe Hu and Yifan Li are with the Department of Automation, Tsinghua University, Beijing 100084, China.
• Yang Xiang, Buyi Qiu, and Kai Wang are with Yunshan Networks, Beijing 100084, China.
• Jun Li is with Research Institute of Information Technology, Tsinghua University, Beijing 100084, China.
∗ To whom correspondence should be addressed.

Abstract: Network monitoring is receiving more attention than ever with the need for Self-Driving Network to tackle increasingly severe network management challenges. Advanced management applications rely on traffic data analysis, which requires network monitoring to flexibly provide comprehensive traffic characteristics. Moreover, in virtualized environments, software network monitoring is constrained by available resources and requirements of cloud operators. This paper proposes Trident, a policy-based network monitoring system at the host. Trident takes a novel monitoring approach, off-path configurable streaming, which offers remote analyzers a fine-grained holistic view of the network traffic. A novel fast path packet classification algorithm and a corresponding cached flow form are proposed to improve monitoring efficiency. Evaluated in practical deployment, Trident demonstrates negligible interference with forwarding and requires no additional software dependencies. Trident has been deployed in production networks of several Tier-IV datacenters.

Key words: Cloud Networking; Software Network Monitoring; Network Programmability; Network Management

1 Introduction

Network management has been more challenging than ever as network complexity dramatically increases and failures become severe and knotty. Following the great success of Software-Defined Networking, the vision of Self-Driving Network has been proposed to apply data-driven modeling and machine learning to traffic data analysis and closed-loop network automation [1,2]. Figure 1 shows the framework of Self-Driving Network. Recent works [3–5] start to build network data analytics platforms and provide logically centralized abstraction for learning applications. Therein, the first important step for traffic data analytics is network monitoring, which collects the traffic information.

[Fig. 1: A basic framework of Self-Driving Network. Layers: Self-driving Applications (Planning, Perception); Policy (Control DSL, Analytics DSL); Control Plane (Controllers, Analyzers); Data Plane (Forwarding and Monitoring).]

This paper focuses on software network monitoring in the data plane. Software network monitoring is part of software network processing, which runs network software at end hosts. Software network processing, such as network virtualization and network function virtualization, is a pillar of multi-tenant cloud datacenters. Software network processing makes it flexible to develop new functionality and programmable models. The combined constraints of the cloud virtualization environment and traffic data analytics highlight three key requirements for software network monitoring.

(1) Noninterference. The intention of monitoring is to facilitate network management, not to interfere with the original network delivery, i.e., forwarding, especially in end hosts which have shared and limited resources for network processing. Moreover, mixed monitoring and forwarding logic increases the complexity of operation and troubleshooting.

(2) Comprehensiveness. Self-Driving Network relies on a comprehensive knowledge of traffic, and perception algorithms need to work at different packet granularities, from flow-level header to application-level payload. For example, flow scheduling [6, 7] is based on flow statistics, and deep inspection [8,9] mines and matches payload signature patterns.

(3) High efficiency. Software network processing is both time and resource consuming. Software network monitoring should be efficient to handle traffic with limited resources, respond to traffic status quickly to support a fast control loop, and save network bandwidth due to the increasing traffic volume in cloud datacenters.

Previous works can be categorized into two directions: (1) direct streaming, which sends original traffic to remote analyzers from switches by mirroring [10] or configured forwarding rules [11,12]; (2) local counting, which runs local algorithms to count traffic and sends statistics data to collectors, such as hash-based [13,14] and sketch-based [15]. Although direct streaming can provide comprehensive packet information, it suffers from high resource consumption and interferes with forwarding, which degrades original forwarding performance. On the other hand, local counting improves monitoring efficiency with careful data structure design, while it tailors the header structure and fails to support full packet view. None of the various existing software monitoring solutions meet all the requirements.

This paper proposes Trident, a novel software network monitoring approach at the host, realizing the noninterference and comprehensiveness requirements. Trident integrates the design of off-path monitoring and configurable streaming. It is decoupled from the forwarding path and trades the overhead of copying incoming packets for noninterference. When a shortage of CPU resources occurs due to competition from forwarding, Trident adaptively samples traffic to save resources for forwarding and guarantees its noninterference. Trident provides full packet view by streaming the monitored packets and interacts with traffic analyzers flexibly with a policy-oriented programming model. Analyzers can define desired packets with match-action rules and get packets at different granularities from header to payload.

The main technical challenge of host monitoring design with the new approach of off-path configurable streaming is to realize high efficiency. Trident incorporates a wildcard-match fast path to improve average classification performance. A novel hash-based packet classification algorithm, Unified Space Search (USS), and a corresponding cached flow form, uniflow, are proposed. USS maps original flow entries to unified non-overlapping flow entries, i.e., uniflows, which can be stored in one hash table. Fitting well with fast-path flow caching and classification, uniflows and USS achieve high cache hit rate and near single-hash-lookup speed with limited memory usage. In addition, a lightweight compression algorithm is proposed for header delivery, saving bandwidth usage.

To mitigate the complexity of system deployment in cloud, Trident adopts a widely used kernel module (the same interface as tcpdump) and requires no additional kernel dependencies. It has been deployed in production networks of several Tier-IV datacenters and provides a stronger capability of network traffic analysis. Currently, the Trident implementation monitors 200Kpps traffic for header delivery consuming at most 0.3 core of Intel E5 CPU.

The rest of this paper is organized as follows: Section 2 describes the background of network monitoring, related work, and the motivation of Trident design. Section 3 introduces Trident system architecture and describes the proposed algorithms and Trident modules. Section 4 presents Trident implementation and current limitation. Section 5 shows the evaluation. The paper closes with the conclusion and future work in Section 6.

2 Background

Network monitoring collects traffic data for better understanding and management of the running networks. Monitoring tools [17–19] have been embedded within network elements such as servers, switches, and routers for several decades. Network monitoring schemes evolve with the development of programmable networking and datacenter networking. Recent works include designing expressive monitoring primitives and/or interfaces [4, 5, 14, 20, 21], optimizing algorithm and/or system [14, 15, 22–25] to improve scalability with large traffic volume and limited resources, and exploring monitoring supported functionalities such as near-optimal traffic engineering [26, 27] and network-wide troubleshooting [24, 25, 28].

Table 1 Summary of software network monitoring work in the data plane

|          | Local Counting | Direct Streaming |
| On-Path  | Hash-based: UMON [13], On-path-FCAP [30]. Sketch-based: On-path-SMON [30] | Port mirroring: OpenStack Tap-as-a-Service [10]. Configured forwarding rules: Open vSwitch [11], VFP [12] |
| Off-Path | Hash-based: Trumpet [14], Off-path-FCAP [30]. Sketch-based: SketchVisor [15], Off-path-SMON [30] | Configured monitoring policies: Trident |

Data plane network monitoring has hardware form (in commodity switches) and software form (at end hosts). Monitoring schemes adopted in hardware and software are similar. On hardware monitoring, OpenSample [29], Planck [27] and Everflow [25] directly stream data packets to remote analyzers by sampling or forwarding rules. FlowRadar [22] and OpenSketch series works [20,21,23] embed optimized hash and sketch logic into

[Figure (caption not recovered): rule table with columns Rule, X Field, Y Field: R1 = 100, 010; R2 = 111, 001; R3 = 11*, 010. Tuple list (mask vectors) and hash tables: [3, 3]: R1, R2; [2, 3]: R3; [2, 0]: R4.]
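An added example, not code from the paper: conventional tuple space search over the rule table and tuple list (mask vectors) shown on this page, illustrating why a wildcard lookup costs one hash probe per mask vector, which is the cost the single-table uniflow form is meant to approach. R1–R3 and the 3-bit fields come from the page; the priorities and the rule `Rc` (standing in for the [2, 0] tuple, whose rule fields are not shown) are constructed for illustration.

```python
from collections import defaultdict

WIDTH = 3  # bits per field, matching the 3-bit X/Y values on the page

# (name, X pattern, Y pattern, priority). R1-R3 are the page's rules; the
# priorities and the rule "Rc" are constructed for this example.
RULES = [
    ("R1", "100", "010", 40),
    ("R2", "111", "001", 30),
    ("R3", "11*", "010", 20),
    ("Rc", "10*", "***", 10),
]

def prefix_len(pattern):
    """Number of exact leading bits; only prefix wildcards are supported."""
    bits = pattern.rstrip("*")
    if len(pattern) != WIDTH or set(bits) - {"0", "1"}:
        raise ValueError(f"not a {WIDTH}-bit prefix pattern: {pattern!r}")
    return len(bits)

def build_tuple_space(rules):
    """Group rules by mask vector; each group is one exact-match hash table."""
    tables = defaultdict(dict)
    for name, x, y, prio in rules:
        lx, ly = prefix_len(x), prefix_len(y)
        key = (x[:lx], y[:ly])
        best = tables[(lx, ly)].get(key)
        if best is None or prio > best[1]:
            tables[(lx, ly)][key] = (name, prio)
    return dict(tables)

def classify(tables, x, y):
    """Return (best matching rule name or None, number of hash probes)."""
    best, probes = None, 0
    for (lx, ly), table in tables.items():
        probes += 1  # one hash lookup per mask vector, hit or miss
        hit = table.get((x[:lx], y[:ly]))
        if hit and (best is None or hit[1] > best[1]):
            best = hit
    return (best[0] if best else None), probes

TABLES = build_tuple_space(RULES)

if __name__ == "__main__":
    for pkt in [("100", "010"), ("110", "010"), ("101", "111"), ("000", "000")]:
        print(pkt, classify(TABLES, *pkt))
```

Every packet, including one that matches nothing, pays a probe for each distinct mask vector, so lookup cost grows with the number of mask vectors rather than the number of rules.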